Office 365 Now Offers Security Scores and Assesses Risk

Microsoft has unveiled a new Secure Score feature for Office 365, enabling organizations to score their Office 365 security postures based on what settings are applied to their accounts, data and devices.

The Secure Score feature, announced Friday in advance of this week's RSA security conference in San Francisco, is designed to help organizations assess how their Office 365 security controls rank based on their own and other compliance requirements.

Secure Score aims to encourage habits that will ensure better security by helping Office 365 administrators discover all the security features and best practices available. However, if widely adopted, the feature could have other implications since the data will be matched against all other Office 365 customers, allowing outside regulators and insurance underwriters to assess an organization's risk profile.

Initially, only global administrators will have access to Secure Score. However, Microsoft said it plans to let them delegate it to other domain admins over time. The tool doesn't require any configuration, according to a four-minute video presentation by Brandon Koeller, principal Office 365 program manager lead at Microsoft.

Each organization's score is calculated based on controls available in Office 365 versus what a specific customer has set up, Koeller explained. The tool gives points based on the total number of controls implemented, including partial ones. In Koeller's demo, the total score was 93 points based on a total potential score of 243. Customers can also see how they rank against others, though Koeller pointed out that "there are millions of organizations of all types, sizes and sophistication that are included in that calculation."

The service also shows a target score based on using every control available, even those not available to a specific administrator. At the same time, administrators need to balance user impact to ensure controls don't hamper productivity or, worse, tempt employees into looking for ways to circumvent them altogether, Koeller noted.

"It is important not to encourage shadow IT by being too restrictive but to encourage the right behavior," he said.

To find that balance, clicking on the Secure Score's "learn more" button will render a remediation pane that describes the intent of each control and its potential impact on users.

Using the tool's Score Analyzer feature, administrators can create reports over time and export data to a .CSV or .PDF file. In addition to providing impact analyses, Secure Score offers suggestions to improve security while also emphasizing controls with the lowest end-user impact.

One interesting implication of Secure Score could affect organizations that must adhere to industry and government regulations, as well as those that have cybersecurity insurance.

"Secure Score can play an important role in a holistic security strategy, which encompasses how an organization strengthens its risk controls, mitigates potential losses and offsets some of the risk," noted Alym Rayani, director of Microsoft's Office Security and Compliance team, in a blog post announcing the service.

According to Rayani, The Hartford is one insurer considering using Secure Score's metrics for conducting risk assessment. Commenting on that in Rayani's post, Tom Kang, head of cyber insurance at The Hartford, said: "We believe aligning the solutions between security and insurance can make a real difference. By encouraging the use of an innovative security analytics tool like Office 365 Secure Score and making it a part of the underwriting process, businesses have more information to make risk-based decisions around privacy and security, potentially reducing their exposure to loss."

Rayani also said the Office 365 Threat Intelligence service is now available for private preview and is scheduled for general availability later this quarter. In addition, he announced the Office 365 Advanced Data Governance preview, which he said uses machine learning to help assess data retention compliance and determine risks. It is also scheduled for general release later this quarter.

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.